There are basic issues with keeping the system clock running the same on virtual servers as on physical servers, so I suspect we might have similar problems if we had physical app servers and virtual Zimbra servers. Is there some way to relax the 5 minute time window for the preauth token? Or is there some other way to do preauth with Zimbra that won't break if the system clocks on the various systems drift out of sync?

I would check expiration settings, which you provide by preauth token and methods of generating token timestamp in your web applications.

Yes, there can be a time fluctuations on virtual systems, but not so big, as in your mentioned log file, if you deal with these issues using timeservers. You can correct time frequently.

The other way is to use Zimbra LDAP for user authentication from external web app. There are some issues concerning new user registration and password sync between systems, but that is another discussion.